Although the user will have to authorize the PDF viewer (e.g. Adobe Reader) to launch the program, it is still dangerous, since attackers control the message that is displayed to the user during that authorization prompt. If the message is convincing enough, unsuspecting users will authorize the launch.
The scary part is that all of this takes place without exploiting any Adobe or PDF vulnerability, since this process is allowed by the official PDF spec.
Stevens also demonstrated that attackers could embed a program inside the PDF file for execution -- and this is exactly what is happening with the latest PDF malware that is currently circulating by email.
At the moment, this latest PDF malware uses the following subject lines:
setting for your mailbox user@domain.com are changed
setting for your mailbox are changed
Its message body looks like:
SMTP and POP3 servers for user@domain.com mailbox are changed. Please carefully read the attached instructions before updating settings.
It has an attachment, which could be a PDF file named doc.pdf or a zip file called open.zip, and embedded in the PDF file is a worm executable called game.exe.
Malware emails tend to evolve frequently, so the above subject lines and message body may change soon. A very good security practice to help reduce the risk of infection would be to configure Adobe Reader to not allow the launching of programs using these instructions on Adobe's blog.
If you're an IT manager, you may wish to inform your end-users about this latest round of PDF malware and advise them not to open any attachment from unknown users, no matter how convincing the email is. The above instructions on Adobe's blog also contain steps to use registry settings to disable that launch setting and to grey out the checkbox to prevent end-users from turning on the setting.
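As an added example (not part of the original post, and not Stevens's or Adobe's tooling), here is a small Python triage script that flags PDFs carrying the two ingredients described above: a /Launch action and an embedded file. It counts these names only after resolving PDF #xx name escapes and inflating Flate-compressed streams, because either can hide the keyword from a plain text search. Both sample PDFs are constructed, and EXAMPLE.EXE is a placeholder name.

```python
import re
import zlib

# PDF name objects; a name may disguise its spelling with #xx escapes (/L#61unch == /Launch).
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%]+)")
# Stream bodies; the lookbehind keeps "endstream" from opening a match of its own.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)
WATCHED = (b"Launch", b"EmbeddedFile")

def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated and plain spellings count as one name."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def expand_streams(data: bytes) -> bytes:
    """Append inflated copies of Flate-compressed streams so names inside them are visible."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:  # decompressobj ignores the newline that sits before 'endstream'
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, font, plain text): nothing to add
    return data + b"\n" + b"\n".join(inflated)

def count_names(data: bytes) -> dict:
    """Count the watched names after de-obfuscation and stream inflation."""
    counts = {name: 0 for name in WATCHED}
    for m in NAME_RE.finditer(expand_streams(data)):
        name = normalize_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts

def triage(data: bytes) -> list:
    """Return the reasons a file deserves a closer look; an empty list means nothing was flagged."""
    c = count_names(data)
    reasons = []
    if c[b"Launch"]:
        reasons.append("/Launch action: the reader may ask the user to start an external program")
    if c[b"EmbeddedFile"]:
        reasons.append("embedded file stream: a program can travel inside the document")
    return reasons

# Constructed sample 1: PDF skeleton with an escaped /Launch name and an embedded-file entry.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"3 0 obj << /Type /Action /S /L#61unch /Win << /F (EXAMPLE.EXE) >> >> endobj\n"
              b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\n\nendstream endobj\n%%EOF\n")
# Constructed sample 2: the same kind of action dictionary hidden inside a Flate-compressed stream.
HIDDEN_PDF = (b"%PDF-1.4\n5 0 obj << /Filter /FlateDecode >> stream\n"
              + zlib.compress(b"<< /Type /Action /S /Launch /F (EXAMPLE.EXE) >>") + b"\nendstream endobj\n%%EOF\n")
```

The script reads raw syntax only, so it is a triage filter rather than a parser: an empty result does not prove a file safe, and encrypted PDFs must be decrypted before scanning.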